<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <link rel="stylesheet" href="/style.css" type="text/css" /> <script type="text/javascript" src="/jquery.min.js"></script> <title>CERN Computer Security Information</title> <script type="text/javascript"> $(document).ready(function(){ // Menu highlight var path = location.pathname.split("/"); if ( path ) { $('#main_menu a[href*="' + path[1] + '"][class!="noselect"]').addClass('selected'); // path[3] = /security/<xxxxx>/ $('#sidebar ul.sidemenu li[class!="noselect"]:has(a[href$="' + path.reverse()[0] + '"])').addClass('selected'); } // Add icon to external links $('a[id!=logo-img]').filter(function() { return this.hostname && this.hostname !== location.hostname; }).after(' <img src="/images/external_link.png" alt="external link" title="external link"/>'); }); </script> </head> <body> <div id="wrap"> <div id="top-bg"></div> <!--header --> <div id="header"> <div id="logo-text"> <a id="logo-img" href="https://home.cern/"><img src="/images/CERNLogo2.png" width="59" height="59" style="margin: 10px" alt="CERN Logo"/></a><div id="logo-text-big"><a href="/home/en/index.shtml" title="">CERN Computer Security</a></div> </div> <div id="header-logo"><a href="/services/en/emergency.shtml"><img width=335 src="/images/emergency.png" alt="Computer Emergencies"/></a></div> </div> <!--header ends--> <div id="header-photo"></div> <!-- navigation starts--> <div id="nav"> <ul id="main_menu"> <li><a class="noselect" href="/home/fr/index.shtml"><img src="/images/fr.png" alt="FR"/></a></li> <li><a href="/home/en/index.shtml">Home</a></li> <li><a href="/rules/en/index.shtml">Computing Rules</a></li> <li><a href="/recommendations/en/index.shtml">Recommendations</a></li> <li><a href="/training/en/index.shtml">Training</a></li> <li><a 
href="/services/en/index.shtml">Services</a></li> <li><a class="secured" href="/reports/en/index.shtml">Reports & Presentations</a></li> </ul> </div> <!-- navigation ends--> <!-- content-wrap starts --> <div id="content-wrap"> <div id="main"> <h2>2018/01/09 Advisory: Spectre / Meltdown</h2> <p style="background-color:#FFCC77"> <b>This page covers ongoing efforts and may be updated (latest: 2018-01-18).</b> </p> <p> The beginning of the year has been dominated by the security vulnerabilities known as <a href="https://spectreattack.com/">"Meltdown" and "Spectre"</a>. "Meltdown" breaks the boundary that keeps user applications from reading privileged kernel memory. It is confirmed to affect all Intel processors since 1995, except Intel Itanium and Intel Atom before 2013; this includes computers by popular vendors such as Apple, Microsoft, Dell, HP, and Lenovo. "Spectre" is similar, but uses the CPU cache as a side channel to read arbitrary memory from a running process. Unlike Meltdown, Spectre is confirmed to affect Intel, AMD, and ARM processors, i.e. computers, tablets and smartphones from popular vendors such as Apple, Microsoft, Dell, HP, Google, and Lenovo. The relatively good news is that Spectre is much more difficult to exploit successfully, as its attack surface is limited to user-space processes, e.g. web browsers and desktop applications. Also, while proof-of-concept code is out in the wild, no systematic exploitation of either Spectre or Meltdown has been reported yet. Still, we recommend that all users keep their systems up to date using the standard (automatic) update mechanisms of their Windows, Linux, Mac, Android or iOS devices. </p><p> <b>Please note that taking no action is not an option: it leaves your device exploitable!</b> </p><p>Finally, this might just be the beginning. 
Security researchers as well as malicious actors are now shifting their focus to other, similar hardware-related vulnerabilities. Some might be published in the future and would require another round of fixes… </p> <h4>Definitions</h4> <p>Please note that the nomenclature is a bit fuzzy, but important:</p> <ul> <li>Bounds check bypass (<a href="https://nvd.nist.gov/vuln/detail/CVE-2017-5753">CVE-2017-5753</a>), dubbed "Variant 1" or "Spectre"</li> <li>Branch target injection (<a href="https://nvd.nist.gov/vuln/detail/CVE-2017-5715">CVE-2017-5715</a>), dubbed "Variant 2" or "Spectre"</li> <li>Rogue data cache load (<a href="https://nvd.nist.gov/vuln/detail/CVE-2017-5754">CVE-2017-5754</a>), dubbed "Variant 3" or "Meltdown"</li> </ul> <h4>Variant 2</h4> <p style="background-color:#FFCC77"> A fix for this variant depends strongly on the CPU hardware: it has to be provided by the corresponding hardware vendors, in the form of CPU microcode updates. Neither Microsoft nor Red Hat provide a fix at this very moment (2018018-12h). CERN IT is in contact with those vendors and will publish/apply fixes once they are available. </p> <h4>Your Strategy for Variant 1 & 3</h4> <ul> <li>For <b>CERN CentOS7 and SLC6</b>, fixes have been made available for testing through the CERN Linux software “test”/QA repositories and are released to production on Thursday, January 11th, 2018. These fixes might not be the final ones. In any case, they only become active after a reboot of the operating system. Details can be found on <a href="https://cern.service-now.com/service-portal/view-outage.do?n=OTG0041699">the CERN Status Board</a>;</li> <li>For <b>CERN centrally managed Windows devices</b>, fixes are available through CMF as of Wednesday, January 10th, 2018. 
They, too, only become active after a reboot of the operating system;</li> <li>For <b>Macs</b>, please upgrade to macOS 10.13.2 (the latest version of High Sierra) and make sure all available security updates are installed. A more detailed statement by Apple can be found <a href="https://information-technology.web.cern.ch/services/fe/mac-support/howto/about-meltdown-and-spectre">here</a>;</li> <li><b>Individual, non-CERN-managed devices</b> (private or CERN; office PCs, laptops, smartphones, …) should be updated using the standard update mechanisms (be it CMF, Windows Update, yum update, …) and subsequently rebooted. We are basically at the mercy of the operating system providers to produce the relevant fixes for the right hardware (i.e. the CPU chipset). Hence, some devices might not be fixed at any given moment, and others might need to be updated more than once as further fixes are deployed. It is therefore imperative that automatic update mechanisms are enabled, as part of standard good security practice. If you use Chrome as your standard browser, we recommend in addition enabling <a href="https://support.google.com/chrome/answer/7623121?hl=en-GB">site isolation</a>;</li> <li><b>Virtual machines in the CERN Computer Centre</b> can already try out the fixes which have been pushed into Puppet QA. Corresponding studies are ongoing within CERN / CERN IT and the WLCG / HEP community. Please note that these fixes only correct Variant 1 and 3; Variant 2 also requires the underlying hypervisors to be fixed (see next point);</li> <li>For <b>Hypervisors in the CERN Computer Centre</b>, the CERN IT Cloud Team are performing functional and performance testing of the provided fixes and have defined a roll-out schedule. Protecting against Variant 2 requires the hypervisors to be restarted and all VMs on them to be hard-rebooted, so a careful rebooting campaign for each availability zone is scheduled for the next weeks. 
The corresponding schedule and all technical details are announced on the <a href="https://cern.service-now.com/service-portal/view-outage.do?n=OTG0041682">CERN Status Board</a> and will be updated there;</li> <li>The <b>WLCG and the EGI</b> are currently applying a similar strategy to all Grid nodes.</li> </ul> <h4>Tools</h4> <ul> <li>A shell script to tell whether your Linux installation is vulnerable to Variant 3: <a href="spectre-meltdown-checker.sh">spectre-meltdown-checker.sh</a></li> <li>A shell script to tell whether a CPU microcode update is available for your CPU: <a href="spectre-cpu-microcode-checker.sh">spectre-cpu-microcode-checker.sh</a></li> </ul> <h4>Credits</h4> <ul> <li><a href="https://blogs.gwu.edu/gwinfosec/2018/01/05/meltdown-and-spectre-security-vulnerabilities-what-you-can-do-now/">George Washington University</a></li> <li><a href="https://github.com/speed47/spectre-meltdown-checker">Spectre & Meltdown Checker</a></li> </ul> </div> <!-- main ends --> <!-- SIDEBAR --> <!-- sidebar menu starts --> <div id="sidebar"> <img center src="/images/bigstock-Danger-warning-sign-50398103_modified.jpg" width=121.5%/> </div> <!-- sidebar menu ends --> <!-- content-wrap ends--> </div> <!-- footer starts --> <div id="footer-wrap"> <div id="footer-bottom"> © Copyright 2024<strong> <a href="https://cern.ch/security">CERN Computer Security Office</a></strong> <table> <tr> <td id="footer-info-left"> e-mail: <a href="mailto:Computer.Security@cern.ch">Computer.Security@cern.ch</a><br/> Please use the following PGP key to encrypt your messages:<br/> ID: 0x954CE234B4C6ED84<br/> <a href="https://keys.openpgp.org/vks/v1/by-fingerprint/429D60460EBE8006B04CDF02954CE234B4C6ED84">429D 6046 0EBE 8006 B04C DF02 954C E234 B4C6 ED84</a> </td> <td id="footer-info-right"> Phone: +41 22 767 0500<br/> Please listen to the recorded instructions. 
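<p>The two checker scripts linked under Tools report vulnerability and microcode status. The following is an added example, not one of CERN's tools, showing the three checks an administrator of a CERN CentOS 7 / SLC6 node wants after following the strategy above: what the running kernel itself reports for Variants 1 to 3, whether a newer kernel than the running one is installed (the fix is only active after the reboot), and which microcode revision the CPU currently runs. It assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities/ (mainline 4.15 and vendor backports, i.e. newer than this advisory) and, for the reboot check, rpm; VULN_DIR and the cpuinfo file argument can be pointed at constructed test files.</p>

```shell
#!/bin/sh
# Added example, not one of the tools linked on this page: summarise what
# the running Linux kernel itself reports about Variants 1-3, whether a
# newer kernel is installed than the one running (the fix is only active
# after a reboot), and which microcode revision the CPU currently runs.
# Assumption: the kernel exposes /sys/devices/system/cpu/vulnerabilities/
# (mainline 4.15 and vendor backports, i.e. later than this advisory).

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# Map the kernel's sysfs file names onto the advisory's nomenclature.
variant_of() {
    case "$1" in
        spectre_v1) echo "Variant 1 / CVE-2017-5753 (bounds check bypass)" ;;
        spectre_v2) echo "Variant 2 / CVE-2017-5715 (branch target injection)" ;;
        meltdown)   echo "Variant 3 / CVE-2017-5754 (rogue data cache load)" ;;
        *)          echo "$1" ;;
    esac
}

# vuln_report DIR: one line per variant, read from DIR (sysfs, or a test
# directory). Returns 1 if any variant is "Vulnerable" or not reported,
# so the caller cannot mistake "the kernel does not know" for "fixed".
vuln_report() {
    dir=$1; rc=0
    for name in spectre_v1 spectre_v2 meltdown; do
        f="$dir/$name"
        if [ ! -r "$f" ]; then
            echo "UNKNOWN    $(variant_of "$name"): not reported by this kernel"
            rc=1
            continue
        fi
        status=$(cat "$f")
        case "$status" in
            "Not affected") tag="OK        " ;;
            Mitigation:*)   tag="MITIGATED " ;;
            Vulnerable*)    tag="VULNERABLE"; rc=1 ;;
            *)              tag="UNKNOWN   "; rc=1 ;;
        esac
        echo "$tag $(variant_of "$name"): $status"
    done
    return $rc
}

# reboot_needed RUNNING INSTALLED...: true when a newer kernel than the
# running one is installed. GNU sort -V orders "3.10.0-693.11.6.el7"
# style versions correctly (EL7/SLC6 kernels, as on this page).
reboot_needed() {
    running=$1; shift
    [ $# -gt 0 ] || return 1          # nothing known about installed kernels
    newest=$(printf '%s\n' "$@" | sort -V | tail -n 1)
    [ "$running" != "$newest" ]
}

# microcode_rev FILE: microcode revision from a /proc/cpuinfo-style file.
# Whether a newer revision exists is a vendor question (see the second
# tool above); this only tells you what is loaded now.
microcode_rev() {
    awk '/^microcode/ { print $3; exit }' "$1"
}

main() {
    vuln_report "$VULN_DIR"; rc=$?
    # rpm is the package manager on CERN CentOS 7 / SLC6; elsewhere the
    # query is silently skipped and no reboot verdict is given.
    installed=$(rpm -q kernel --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n' 2>/dev/null) || installed=""
    if reboot_needed "$(uname -r)" $installed; then
        echo "REBOOT     a newer kernel is installed than the running $(uname -r)"
        rc=1
    fi
    echo "MICROCODE  revision $(microcode_rev /proc/cpuinfo 2>/dev/null || echo unknown)"
    return $rc
}

# Run the checks unless the file is sourced only for its functions.
[ -n "${SPECTRE_CHECK_LIBRARY:-}" ] || main
```

<p>Run it once after <code>yum update</code> and again after the reboot: a VULNERABLE or UNKNOWN line, or a REBOOT line, means the strategy above is not yet complete on that host. The exit status follows the same rule, so the script can be dropped into a fleet-wide check.</p>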
</td> </tr> </table> </div> </div> <!-- footer ends--> </div> <!-- wrap ends here --> <!--img height=30px src="/home/en/CERNfooter_800.png"--> </body> </html>